
Microservices for Enterprises - Consistent Network & Security services for Containers and VMs

Page 1

© 2015 VMware Inc. All rights reserved.

Consistent Network & Security services for Containers and VMs

Guru Shetty Sai Chaitanya

Page 2

The case for Network Virtualization

Traditional Data Center

- Network Architecture
  - Layer 3 boundary – Aggregation Layer
  - VLANs in Access Layer and Virtual Switch

[Diagram: VM1 on a vSwitch; Access Switch (Layer 2); Aggregation Switch / Router (Layer 3); Baremetal DB]

Page 3

The case for Network Virtualization

Drivers for Virtualized Networking

- Cloud – software defined network
- Multi-tenancy – with overlapping IP addresses (typical use cases: acquisitions and mergers)
- Flexible and programmatic workload placement

[Diagram: VM1 to VM6 connected over Datacenter Network Tunnels (VXLAN, Geneve, STT)]

Page 4

The Case for Microsegmentation

Security in a Traditional Data Center

- Security configuration at Layer 3 boundary
- Huge surface exposed for attack – i.e. an attack can move laterally throughout the VLAN domain

[Diagram: Data center 1 Perimeter]

Page 5

The Case for Microsegmentation

Security in a Modern Data Center

- FW per VM or host
  - Limits the lateral spread of an attack
- Distributed Firewall
  - In kernel
  - Line rate performance
  - FW context moves along with the workload

[Diagram: VM1 to VM6 over Datacenter Network Tunnels (VXLAN, Geneve, STT), with a FW per vNIC]

Page 6

Virtual Networking constructs

• Logical Switch

• Logical Port

• Firewall rule (ACL)

• Logical Router

• Logical Router Port

• Distributed Loadbalancer

Page 7

The intelligent edge

[Diagram: Hypervisor running OVS, programmed via OpenFlow and OVSDB by NSX/OVN; tenant workloads labelled Coke and Pepsi; CMS / Container Orchestrators on top]

Page 8

What’s new in the Data Center

- Containers running in VMs
- Containers running on Baremetal Servers

[Diagram: two Hypervisors with OVS, VMs V1 and V2, containers C1 to C4, ports P1 and P2, TOR switches (L2 and L3) with VTEPs, router R, Datacenter Network (Tunnels)]

Page 9

Design goals for Container integration

- Unique IP Address per container
- No NAT based solution – complex to manage at scale
- Avoid overlays on overlays
  - Poor Performance
  - Lack of visibility for troubleshooting & monitoring
- Security (Firewall) enforcement per container interface
  - Protect other workloads from a compromised Container
- Network segment that spans Baremetal, Containers and VMs
- Service Chaining for Containers – e.g. IDS & Distributed Load Balancing

Page 10

Docker Integration

[Diagram: Hypervisor with OVS on the Datacenter Network; a Docker Host VM running containers C1, C2, C3 on its own OVS; Untrusted and Trusted zones]

Page 11

Docker Integration

[Diagram: Hypervisor with OVS on the Datacenter Network; VMs each running OVS with containers C1 to C5; Logical Space view with logical switches S connecting C1, C3, C4 and C2, C5, a router R and External network]

Page 12

Docker Security

[Diagram: Hypervisor with OVS on the Datacenter Network; Docker Host VM running containers C1, C2, C3 on OVS with a Distributed Firewall]

Page 13

Docker OpenStack Integration

• docker network create -d openvswitch --subnet=192.168.1.0/24 foo

• docker run --net=foo --name=busybox busybox

Page 14

Docker OpenStack Integration

[Diagram: Hypervisor (HV) with OVS; Tenant VM running containers C1, C2, C3 on OVS via an OVS plugin for Docker; Neutron, OVN and Nova on the OpenStack side]

Page 15

OVN – VM overlays

[Diagram: containers C1 to C4 in VMs, each VM running OVS, connected by Tunnels]

Page 16

Kubernetes integration

Page 17

Cloud Native Apps in Enterprises

- Cloud Native technologies will bring “web-scale” like agility and continuous delivery to the enterprise
- Customers are deploying next generation apps to either PaaS platforms or Container Clusters
- Customers are also refactoring existing apps using Containers and embracing DevOps
- NSX will integrate with PaaS and Container Orchestration platforms

Page 18

NSX for cloud-native apps

Solution

[Diagram: NSX Kubernetes Plugin (K8 Spec) and NSX Docker Plugin (Docker Compose) for Containers on Bare metal (Linux) and Virtual Machines (KVM & vSphere); Connectivity, Availability, Security]

- Enterprise-grade networking and security for cloud-native apps
- Enables admin to run apps on any cloud – VMware, OpenStack and Public Cloud
- Single platform for all apps – VM, bare metal and Containers